Technology: The Ethics of Cloud-based Services

Despite the omnipresence of Internet-based services such as email and cloud storage, individual attorneys must determine whether use of a particular technology, product, or service meets the reasonable-standard-of-care obligation.

The practice of law has undergone significant changes in technology in the last decade. Internet (cloud)-based practice management tools, such as Clio and MyCase, and document-storage services, such as Google Drive or Dropbox, have come into existence. Attorneys have more options than ever before to store and access client and case information, track time, store files and documents online, and communicate electronically. These capabilities raise new concerns regarding attorneys' obligations under the Rules of Professional Conduct.

Even lawyers who are reluctant to adopt modern technology find that to adequately perform their duties, they must have a basic understanding of how that technology works. Storing confidential and privileged information online makes it easier for lawyers to practice anywhere, anytime, but also raises the specter of potential damage from disclosure if this information is accessed and distributed on the Internet by unauthorized individuals.

Professional Conduct Rules

The American Bar Association (ABA) Model Rules of Professional Conduct and state ethics rules are the first resources a lawyer must consult when looking for an answer to an ethics question. Unfortunately, when the rules were created, email, online services, and data storage were the realm of science fiction writers and futurists. As is too often the case, the legal profession is trying to use rules written for a different time to meet the changing needs of modern practice.

For Wisconsin attorneys, SCR 20:1.6 (Confidentiality) controls a lawyer's duty and obligation not to reveal information relating to a representation. (See accompanying sidebar.) Comment 16 to the rule states the lawyer's obligation is to "act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure...." This raises the question of what it means to act competently when using email, cloud-based services, or online storage.

Comment 17 provides some guidance: "the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients." Comment 17 also details factors to use in determining whether the measures taken are reasonable. These factors are "the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement." There is no guidance to Wisconsin attorneys as to which factors, if any, should be used in determining if a cloud-based provider or product meets the required standard and attorneys' ethical obligations. Because the rules themselves provide little or no guidance, ethics opinions also must be consulted.

States' Ethics Opinions

Recent ethics opinions from several states (but not Wisconsin) address whether it is acceptable for an attorney to use cloud computing, software as a service (also known as SaaS), and online document storage for client information and files. The opinions' consensus is that an attorney must use "reasonable care" when selecting a cloud or Internet service or product. The most recent opinion is Opinion 12–03, issued by the Massachusetts Bar Association,1 which states the following:

"Summary: A lawyer generally may store and synchronize electronic work files containing confidential client information across different platforms and devices using an Internet based storage solution, such as 'Google docs,' so long as the lawyer undertakes reasonable efforts to ensure that the provider's terms of use and data privacy policies, practices and procedures are compatible with the lawyer's professional obligations, including the obligation to protect confidential client information reflected in Rule 1.6(a). A lawyer remains bound, however, to follow an express instruction from his or her client that the client's confidential information not be stored or transmitted by means of the Internet, and all lawyers should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first obtaining the client's express consent to do so."

This opinion strikes a balance between an attorney's obligation under the rules and the realities of the commercial market as to what may be included in determining whether reasonable care was exercised.

The majority of services currently available were not created specifically for lawyers. This is significant because the ethics opinions differ as to determining what factors to consider in establishing a standard of reasonable care. For example, the Alabama State Bar Ethics Opinion 2010–02 requirement that Alabama lawyers "reasonably ensure that the provider will abide by a confidentiality agreement in handling the data"2 and the Pennsylvania requirement that a service provider "provide[] the firm with right to audit the provider security procedures and to obtain copies of any security audits performed" are unrealistic in light of the relative bargaining position of an attorney and a company such as Google.3 Massachusetts provides a simplified (and more realistic) list of factors for lawyers to consider, including the following:

"(a) examining the provider's terms of use and written policies and procedures with respect to data privacy and the handling of confidential information;

(b) ensuring that the provider's terms of use and written policies and procedures prohibit unauthorized access to data stored on the provider's system, including access by the provider itself for any purpose other than conveying or displaying the data to authorized users;

(c) ensuring that the provider's terms of use and written policies and procedures, as well as its functional capabilities, give the Lawyer reasonable access to, and control over, the data stored on the provider's system in the event that the Lawyer's relationship with the provider is interrupted for any reason (e.g., if the storage provider ceases operations or shuts off the Lawyer's account, either temporarily or permanently);

(d) examining the provider's existing practices (including data encryption, password protection, and system back ups) and available service history (including reports of known security breaches or 'holes') to reasonably ensure that data stored on the provider's system actually will remain confidential, and will not be intentionally or inadvertently disclosed or lost; and

(e) periodically revisiting and reexamining the provider's policies, practices and procedures to ensure that they remain compatible with the Lawyer's professional obligations to protect confidential client information reflected in Rule 1.6(a)."

ABA Ethics 20/20 Commission Proposals

Recognizing that technology is a topic that the current Model Rules of Professional Conduct fail to adequately address, the ABA created the Ethics 20/20 Commission, which has the goal of modernizing the model rules. Among several proposals made by the Ethics 20/20 Commission at the ABA's annual meeting in August 2012 was the request that rule 1.6 (Confidentiality of Information) be modified to include a new paragraph (c): "(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."4 This language is similar to comment 16 of SCR 20:1.6 and provides additional clarification for attorneys. The Ethics 20/20 Commission also proposed additional language for comment 16 of the model rule, which provides in part:

"Factors to be considered in determining the reasonableness of the lawyer's efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)."5

Sidebar: SCR 20:1.6 Confidentiality

(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in pars. (b) and (c).

Comment [16] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1, and 5.3.

Comment [17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

So where does this leave a Wisconsin lawyer? The author believes that Wisconsin lawyers should exercise reasonable care when selecting an online service or service provider using reasoning similar to that found in Massachusetts Opinion 12-03 and the Ethics 20/20 Commission recommendations for rule 1.6. A Wisconsin attorney using these guidelines must determine whether any online-service providers appear to meet these requirements of a standard of reasonable care.

Online Services and Providers

There are many online document-storage services, including Google Drive, Dropbox, Box.com, SpiderOak, and iDriveSync. Popular cloud-based practice-management services include Clio, RocketMatter, LexisNexis Firm Manager, and MyCase. Office suite applications include Google Apps and Microsoft Office Web Apps and Office 365. Examining each of these services is beyond the scope of this article, and so we consider one, Google Drive, which was considered in the Massachusetts opinion.6

Google Drive, called Google Docs at the time the Massachusetts opinion was issued, is offered in both consumer and business/enterprise versions. The Massachusetts opinion did not differentiate between consumer and business versions of this Google product. Google takes the same position for both the consumer and business versions: neither version claims ownership to your content. Specifically, Google states: "You retain ownership of any intellectual property rights that you hold in that content. In short, what belongs to you stays yours."7

There are clear distinctions between the consumer and business versions of Google Drive. The business version provides the ability to place legal holds, comply with retention policies, and conduct audits, and it contains e-discovery tools, which the consumer version does not. One senior member of the Google Apps for Enterprise team, commenting on the consumer (free) versions of Google services, advised he would "never recommend that any business, let alone any law firm, consider using their consumer product."8 There are important differences between the terms of service for the consumer and the business products, including the fact that, "If you are using Google Apps (free edition), email is scanned so we can display contextually relevant advertising in some circumstances. Note that there is no ad-related scanning or processing in Google Apps for Education or Business with ads disabled."9

Clearly, Google Apps for Business is the preferred version to ensure complying with the reasonable-care standard that lawyers face.

Also relevant to the factors listed in the Massachusetts ethics opinion are the following: Google Drive's and Google Apps for Business's specific policies regarding privacy, rules prohibiting unauthorized access to the information, Google's policies limiting use of the information a user provides for the purpose of delivering the services to the user, who has access to a user's data, how data is maintained on Google's servers, the fact that data is kept in a form that is unreadable by people, encryption when transferring documents between a user's computer and their servers, and user-defined policies. Google also has a procedure for dealing with third-party production requests, such as subpoenas.10 Google continues to deploy new security features, including a two-step verification process that requires not only a password but also another identifier, usually a code created on a user's cell phone and a special application.11

Google's business history and news stories and reports about the company provide no indication that it is in any danger of failing as a business or ceasing its core operations anytime in the near future. According to published information, Google regularly backs up user data and replicates it in numerous data centers. Google has passed internal and industry certification standards.

Using the Massachusetts ethics opinion factors, it appears that Google Drive and Google Apps for Business would be acceptable for use by attorneys and for storing confidential information. Several other online services have similar terms and may also be suitable. Although the most secure online storage system is one that would allow the end user to create the encryption key and be the only party that has access to it, none of the ethics opinions make that a requirement. Controlling the encryption key means that the documents are encrypted before being sent to the servers; no party could decrypt these files without that encryption key. This is the most secure method of protecting documents but also bears the inherent danger of losing or forgetting the encryption key, without which no one, even the provider, can decrypt these files. So if you lose or forget your encryption key your information will be lost, forever. For users who would like the added level of security that encryption provides, consider using SpiderOak (www.spideroak.com).

The other thing that should be clear is that for business communications, services, and storage, attorneys should avoid all consumer-level products and services, such as free email from Gmail, Hotmail, and Yahoo; free Microsoft SkyDrive online storage and the free Google Drive online-storage services; the free Google Apps (to the extent you will use the free Google Drive they incorporate); and the free Microsoft Office Web Apps (it also uses SkyDrive).

Conclusion

Ultimately, whether a specific Internet/cloud product or service meets a standard of reasonable care is a question that must be answered by each attorney until more definitive guidelines are provided. A key factor to remember is that none of the ethics opinions issued require extraordinary efforts or a 100 percent guarantee that information will not be inadvertently disclosed; instead, they require that attorneys use reasonable care in selecting a service provider to handle this confidential information.

Nerino J. Petro Jr., Northern Illinois 1988, is the advisor to the State Bar of Wisconsin Law Office Management Assistance Program (Practice411™). He assists lawyers in improving their efficiency in delivering legal services and in implementing systems and controls to reduce risk and improve client relations. Visit the Law Practice Management area at www.wisbar.org regularly for practice management guidance. You can reach Petro at (800) 444-9404, ext. 6012, or email practicehelp@wisbar.org. Visit www.wisbar.org/practice411 for resources to help you manage your practice.

5 Id. at 4-5. The ABA House of Delegates approved the recommendations of the Ethics 20/20 Commission, including those in Recommendation 105A, which include the changes to Rule 1.6. See ABA press release at http://bit.ly/PHgzb1.

6 Google Docs is now included in Google Drive, which stores not only documents created in Google Apps but also documents and files created by an end user and uploaded to the Google Drive service.

10 Information provided at April 27, 2012, meeting at Google headquarters. Google has a whitepaper available on how it handles third-party requests for production but the company requires execution of a nondisclosure agreement before it will provide the whitepaper.